Wednesday, June 2, 2010

Plaintext Over Tor is Still Plaintext

Recently, a few articles have been published regarding Tor, Wikileaks, and snooping data coming out of the Tor network. I write to remind our users, and people in search of privacy enhancing technology, that good software is just one part of the solution. Education is just as important. This is why there is a warning on the Tor download page about what Tor does and does not do. We also have a FAQ entry about this topic. Any plaintext communication over the Internet is open to intercept. This is true if the transport mechanism is email, http, tor, or carrier pigeons. Tor does not magically encrypt the Internet from end to end.

Tor provides anonymity and privacy by hiding where your Internet traffic is going and where it came from, but users must protect the security of their traffic by using encryption. Once you exit the last relay, you are back on the open Internet. Some web email providers, banks, and other sites use encryption by default when you log in, something you can check by looking for "https://" at the beginning of a URL. For more information, check out Ethan Zuckerman's comments on this topic.

For reference, these articles are unclear and blur concepts about Tor and Wikileaks. An article about Julian Assange of Wikileaks in The New Yorker is the source of the confusion. Ryan Sholin deliberates on one paragraph from the New Yorker story. Ethan Zuckerman responded to Ryan's thoughts about Tor here. We thanked EthanZ for the accurate response in an Identi.ca dent. It seems Slashdot and Wired Threat Level have picked up on just that one statement in the article by the New Yorker.

We hear from the Wikileaks folks that the premise behind these news articles is actually false -- they didn't bootstrap Wikileaks by monitoring the Tor network. But that's not the point. The point is that users who want to be safe need to be encrypting their traffic, whether they're using Tor or not.